Podcast | The Twitter password leak fiasco and how to stay protected

Twitter then had the audacity to post an accompanying link titled Keeping Your Account Secure. Yeah, people did keep their account secure, you birdbrains. You messed up. If that wasn’t patronising or disingenuous enough, the link leads to a page where the first line reads, and I kid you not, ‘When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it’. And it gets better.

"I’m sorry that this happened," Twitter’s CTO Parag Agrawal tweeted after posting the announcement. "We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do." Didn’t have to. Hmm.

By the way, Twitter’s disclosure came on, drum roll — World Password Day!

I don’t think you really mean that apology, Twitter. Something tells me teetar is trying to get away with some serious sloppiness with just a throwaway apology that doesn’t actually make the issue clear. And then you go and compound that with statements like Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. Well, of course we have to! You guys saved our passwords as a text!

Ok, now that the rant is out of my system, let’s examine what happened. Twitter says ‘We recently identified a bug that stored passwords unmasked in an internal log’.

So twitter masks, or keeps passwords secret, using a process called hashing. This process uses a function called bcrypt. That charmingly named function replaces the actual password that we type into the computer or mobile device with a random set of letters and numbers that are stored in Twitter’s system. The system then validates account credentials without revealing the password. Twitter claims this is standard procedure for the industry.

However, the company revealed yesterday that due to a bug, passwords were written to an internal log before completing the hashing process. To its credit, Twitter discovered this error and removed the passwords. It is now implementing plans to prevent this happening again. But I’m going to play skeptic here and say - whenever a business organization offers up a mea culpa without someone breathing down its neck, bullshit meters go off in more than one place. Suspicious minds would say they knew about this all along but are now trying to mitigate an existing problem. That’s not some nerd conspiracy talk. It’s just that - in light of Facebook and Cambridge Analytica’s distasteful jugalbandi, we have no reason to trust any of these companies. Well, ok, a little bit of conspiracy theory in there, but can you really blame me?

Getting back to the subject, Twitter claims there is no evidence of a breach, but at least one media report noted that the error would have allowed any snoopers inside the system to scoop up unprotected passwords with ease.

Now, we know there are passwords and then there are passwords. In what some termed a ‘twitter heist’ in 2016, stolen passwords of 33 million users, the eventual news shifted from the theft to the ridiculous passwords themselves.

Some of the more technologically challenged individuals have been famously using passwords like 1234356, or 12345678 if the password field requires 8 characters. Others have used the word password as a password. Many people just use dragon as their password. GoT fans, obviously. I bet there’s a bunch of Khaleesis too. Idiots! They know nothing! Back then too, Twitter said it was confident that its system wasn’t breached. I knew I heard that line before! Turns out it was Twitter in 2016.

On a more serious note, even with no evidence of an actual breach, this incident or bug serves as a good reminder for some basic security hygiene.

Use unique passwords for every service; a password manager can help you keep track of them all.

Turn on two-factor authentication where available. Yes, it is available on Twitter. Look at what other apps that have access to your account. These apps, if they're insecure themselves, can offer hackers a limited way into your account without ever having to figure out your password.

"It's a bad thing and Twitter should be held to the fire for it," says David Kennedy, CEO of the penetration testing firm TrustedSec. "But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it.” Penetration testing firm? There’s a chastity belt joke somewhere around here. If only I could find the key.

Twitter, on its part, has started notifying mobile and desktop users to change their passwords. So here’s what you should do. Login to your Twitter account, click on Settings, then privacy, then Password. Enter your current password and then pick a new one. Just to be safe, if you have ever used your old Twitter password for any other account, you should change that as well.

My favorite part of the story is the very first response on twitter to this tweet. One Miss Kathleen Burns tweeted I don't even remember my password.

Of course, the comment section eventually digressed into Anti & Pro Trump, Israel-Palestine, too many repetitive GIFs, the customary Spanish or Portuguese guy whom nobody understands, and desi dude boys who want to make fraandship everywhere. God, I love twitter comments. What a gloriously funny way to come to the realization the human race has no hope. Entropy is the only truth.

So yeah, in summary, change your passwords, people. Keep it complicated.